New security issues surface as Sebelius testifies

Wednesday

Oct 30, 2013 at 12:01 AMOct 30, 2013 at 8:45 PM

WASHINGTON (AP) - President Barack Obama's embattled top health official declared herself accountable Wednesday for failures of the much-maligned health insurance website as a newly surfaced government memo pointed to security concerns that were laid out just days before its launch.

WASHINGTON (AP) — President Barack Obama's embattled top health official declared herself accountable Wednesday for failures of the much-maligned health insurance website as a newly surfaced government memo pointed to security concerns that were laid out just days before its launch.

Despite the problems, Health and Human Services Secretary Kathleen Sebelius defended the health care overhaul, the signature legislative accomplishment of Obama's first term. She said the website problems will be fixed by Nov. 30 and gaining health insurance will make a positive difference in the lives of millions of Americans.

The website HealthCare.gov was still experiencing outages, even as Sebelius was testifying to the House Energy and Commerce Committee that "I'm responsible." And she faced a new range of questions about an internal memo from her department that revealed the troubled website was granted a temporary security certificate on Sept. 27, just four days before it went live on Oct. 1.

The memo, obtained by The Associated Press, said incomplete testing created uncertainties that posed a potentially high security risk for the website. It called for a six-month "mitigation" program, including ongoing monitoring and testing.

Republicans opposed to Obama's health care law are calling for Sebelius to resign. She apologized to people having trouble signing up but told the committee that the technical issues that led to frozen screens and error messages are being cleared up on a daily basis.

Security issues raise major new concerns on top of the long list of technical problems the administration is grappling with.

"You accepted a risk on behalf of every user ... that put their personal financial information at risk," Rep. Mike Rogers, R-Mich., told Sebelius, citing the memo. "Amazon would never do this. ProFlowers would never do this. Kayak would never do this. This is completely an unacceptable level of security."

Sebelius countered that the system is secure, even though the site's certificate, known in government parlance as an "authority to operate," is of a temporary nature. A permanent certificate will be issued only when all security issues are addressed, she stressed.

Spokeswoman Joanne Peters added separately: "When consumers fill out their online ... applications, they can trust that the information they're providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure. Security testing happens on an ongoing basis using industry best practices."

The security certificate is required under longstanding federal policy before any government computer system can process, store or transmit agency data. The temporary certificate was approved by Medicare chief Marilyn Tavenner, the senior HHS official closest to the rollout. No major security breaches have been reported.

The memo said, "From a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk for the (federal marketplace website)."

It recommended setting up a security team to address risks and conduct daily tests, and said a full security test should be conducted within two to three months of the website going live.

A separate page stated that "the mitigation plan does not reduce the risk to the (website) itself going into operation on October 1, 2013. However, the added protections do reduce the risk to the overall Marketplace operations and will ensure that the ... system is completely tested within the next 6 months."

That page was signed by three senior technical officials below Tavenner at the Centers for Medicare and Medicaid Services. All the officials deal with information security issues.

Sebelius' forthright statement about her ultimate accountability for problems with the sign-up rollout came as Rep. Marsha Blackburn, R-Tenn., peppered her with questions about the "debacle."

Rep. Henry Waxman of California, the ranking Democrat on the committee, scoffed at Republican "oversight" of a law they have repeatedly tried to repeal.

"I would urge my colleagues to stop hyperventilating," said Waxman. "The problems with HealthCare.gov are unfortunate and we should investigate them, but they will be fixed. And then every American will have, finally have, access to affordable health insurance."

The website HealthCare.gov was intended to be the online gateway to coverage for millions of uninsured Americans, as well those who already purchase their policies individually. Many people in the latter group will have to get new insurance next year, because their policies do not meet the standards of the new law.

Throughout the 3 ½-hour hearing, Sebelius was respectful, often addressing lawmakers as "sir" or "congresswoman." She kept her cool as some lawmakers repeatedly cut off her answers. But she did not shy a few times from tersely interjecting her views while a member was speaking.

The standing-room-only hearing room was silent when she swore an oath to tell the truth and began her opening statement.

She parried questions about problems with the website as well as a wave of cancellation notices hitting individuals and small businesses who buy their own insurance. Those notices are coming because many existing individual policies are too skimpy to meet the law's requirements. The administration says consumers affected will be able to find better coverage.

Lawmakers also wanted to know how many people have enrolled in plans through the health insurance marketplaces. Sebelius stuck with the administration response, promising to release the data in mid-November.

Starting Jan. 1, most Americans will be required to carry health insurance or face fines. At the same time, insurance companies will no longer be able to turn away people in poor health. The law provides subsidized private insurance for middle-class people who don't get health care on the job. Low-income people can access an expanded version of Medicaid in states that agree to expand that safety net program.